pyrox.dev / nixpkgs
lol
fork atom

nixos/podman: use nftables as firewall driver when enabled (#365847)

Sandro 696de4eb 5e4a8ab0

options
unified split
Changed files
+8 -3
nixos
modules
virtualisation
podman
default.nix
pkgs
by-name
po
podman
package.nix
+8 -1
nixos/modules/virtualisation/podman/default.nix 
···

       
232

       
232

       
 

       
      # containers cannot reach aardvark-dns otherwise


     

       
233

       
233

       
 

       
      networking.firewall.interfaces.${network_interface}.allowedUDPPorts = lib.mkIf dns_enabled [ 53 ];


     

       
234

       
234

       
 

       



     

       

       
235

       
+

       
      virtualisation.podman.extraPackages = [


     

       

       
236

       
+

       
        pkgs.iptables


     

       

       
237

       
+

       
      ]


     

       

       
238

       
+

       
      ++ lib.optional config.networking.nftables.enable pkgs.nftables;


     

       
235

       
239

       
 

       
      virtualisation.containers = {


     

       
236

       
240

       
 

       
        enable = true; # Enable common /etc/containers configuration


     

       
237

       
241

       
 

       
        containersConf.settings = {


     

       
238

       

       
-

       
          network.network_backend = "netavark";


     

       

       
242

       
+

       
          network = {


     

       

       
243

       
+

       
            network_backend = "netavark";


     

       

       
244

       
+

       
            firewall_driver = lib.mkIf config.networking.nftables.enable "nftables";


     

       

       
245

       
+

       
          };


     

       
239

       
246

       
 

       
        };


     

       
240

       
247

       
 

       
      };


     

       
241

       
248
-2
pkgs/by-name/po/podman/package.nix 
···

       
25

       
25

       
 

       
  extraRuntimes ? lib.optionals stdenv.hostPlatform.isLinux [ runc ], # e.g.: runc, gvisor, youki


     

       
26

       
26

       
 

       
  fuse-overlayfs,


     

       
27

       
27

       
 

       
  util-linuxMinimal,


     

       
28

       

       
-

       
  iptables,


     

       
29

       
28

       
 

       
  iproute2,


     

       
30

       
29

       
 

       
  catatonit,


     

       
31

       
30

       
 

       
  gvproxy,


     
···

       
43

       
42

       
 

       
    lib.optionals stdenv.hostPlatform.isLinux [


     

       
44

       
43

       
 

       
      fuse-overlayfs


     

       
45

       
44

       
 

       
      util-linuxMinimal


     

       
46

       

       
-

       
      iptables


     

       
47

       
45

       
 

       
      iproute2


     

       
48

       
46

       
 

       
    ]


     

       
49

       
47

       
 

       
    ++ lib.optionals stdenv.hostPlatform.isDarwin [